Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 09:05

General

  • Target

    download.exe

  • Size

    882KB

  • MD5

    c65ce4ba6d977022056272ffc86f51d4

  • SHA1

    3811485a7d4ad5f551d844b81e15f44f00515cba

  • SHA256

    194d34ae7ddcfa9918c1230cda4615d275baf0bb1a2bb2e0c2c5fb70a87ff4fa

  • SHA512

    7792da612d84add79a3972f72a9580ab6a72e9624de43d708cf014d391ead9c415b7362853c18b6a855960bb000928a850b71f9a966575db9c2650094edf38d7

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.html

Family

avaddon

Ransom Note
Your network has been infected by Avaddon
All your documents, photos, databases and other important files have been encrypted and you are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software - Avaddon General Decryptor. Only we can give you this software and only we can restore your files!
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
  • Download Tor browser - https://www.torproject.org/
  • Install Tor browser
  • Open link in Tor browser - dYfWDRncG.avaddonbotrxmuyl.onion/?uAuaZIE1Uc3SGG3p6xJBIDc01kIQ61
  • Follow the instructions on this page
Your ID: 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
Do not try to recover files yourself!
Do not modify encrypted files!
Otherwise, you may lose all your files forever!

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 13 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\download.exe
    "C:\Users\Admin\AppData\Local\Temp\download.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 956
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1012
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1156
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1128
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1020
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1192
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1456
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1464
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1592
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:4048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1412
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1692
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1340
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2244
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:208
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:580
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1752
      2⤵
      • Program crash
      PID:4084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 2060
      2⤵
      • Program crash
      PID:776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2772
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3488
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:884
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4284
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    PID:4352
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4564
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4716

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Privilege Escalation
    T1088 Bypass User Account Control (1)
  • Defense Evasion
    T1088 Bypass User Account Control (1)
    T1089 Disabling Security Tools (1)
    T1112 Modify Registry (4)
    T1107 File Deletion (2)
  • Discovery
    T1082 System Information Discovery (3)
    T1012 Query Registry (1)
    T1120 Peripheral Device Discovery (1)
  • Impact
    T1490 Inhibit System Recovery (2)

Downloads

  • C:\Users\Admin\Desktop\readme.html
    MD5

    f39635788507f9bfc4b770bb55b0d3d8

    SHA1

    a701ae0a63f7eda48d8f42e105e08ee834525bb9

    SHA256

    afb14233de11abdfeef5bdbb73f91f788fbd7de8a31c636e4dfa1df256f8fabc

    SHA512

    3dae5ba02183eef45bd9d8b06f56333f441e97a731e45a5072cd2f650c65d8dd60b2aef0cf0f6b006ea87618687f1dc8a0dffcfbc33e591e51dfef5fd7f32e8e

  • memory/208-120-0x0000000000000000-mapping.dmp
  • memory/580-121-0x0000000000000000-mapping.dmp
  • memory/776-118-0x0000000000000000-mapping.dmp
  • memory/1340-117-0x0000000000000000-mapping.dmp
  • memory/2244-119-0x0000000000000000-mapping.dmp
  • memory/2840-114-0x0000000001DC0000-0x0000000001ED9000-memory.dmp
    Filesize

    1.1MB

  • memory/2840-115-0x0000000000400000-0x0000000001B46000-memory.dmp
    Filesize

    23.3MB

  • memory/3004-116-0x0000000000000000-mapping.dmp